Security: LeakSanitizer: detected memory leaks in v8
Reported by lu...@princeton.edu, Sep 7 2016
Issue description

This template is ONLY for reporting security bugs. If you are reporting a Download Protection Bypass bug, please use the "Security - Download Protection" template. For all other reports, please use a different template. Please see the following link for instructions on filing security bugs: http://www.chromium.org/Home/chromium-security/reporting-security-bugs

NOTE: Security bugs are normally made public once a fix has been widely deployed.

VULNERABILITY DETAILS

Running the attached asan_crash.js on an asan build of v8 from tip, and on v8 commits 3807927f46dda120dd7c5192e1313a1188cae83a and c668dfb3c38e0efcab923d8381e60f67a5cbb4c0 (corresponding to beta/dev/stable), causes the following asan output. Strangely enough, I can't reproduce this when downloading the prebuilt asan binaries in https://commondatastorage.googleapis.com/chromium-browser-asan/index.html?prefix=linux-debug/, so maybe this is a false positive. Do you know why my builds produce an asan crash but not the prebuilt binaries? I've also run the attached asan_crash.js with valgrind on d8 builds without asan, and I get similar memory leak messages.

=================================================================
==31577==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 272 byte(s) in 1 object(s) allocated from:
    #0 0x4a2eeb in __interceptor_malloc /home/development/llvm/3.5.2/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40:3
    #1 0x1d1a1aa in icu_56::Collator::createInstance(icu_56::Locale const&, UErrorCode&) (/root/v8-asan-beta/out/Release/d8+0x1d1a1aa)
    #2 0x1cadc6a in v8::internal::(anonymous namespace)::CreateICUCollator(v8::internal::Isolate*, icu_56::Locale const&, v8::internal::Handle<v8::internal::JSObject>) (/root/v8-asan-beta/out/Release/d8+0x1cadc6a)
    #3 0x1cad9e3 in v8::internal::Collator::InitializeCollator(v8::internal::Isolate*, v8::internal::Handle<v8::internal::String>, v8::internal::Handle<v8::internal::JSObject>, v8::internal::Handle<v8::internal::JSObject>) (/root/v8-asan-beta/out/Release/d8+0x1cad9e3)
    #4 0x19b3cfb in v8::internal::Runtime_CreateCollator(int, v8::internal::Object**, v8::internal::Isolate*) (/root/v8-asan-beta/out/Release/d8+0x19b3cfb)
    #5 0x2b72f6406146 (<unknown module>)
    #6 0x2b72f6469695 (<unknown module>)
    #7 0x2b72f6468a02 (<unknown module>)
    #8 0x2b72f6407cb4 (<unknown module>)
    #9 0x2b72f6407955 (<unknown module>)
    #10 0x2b72f64685e1 (<unknown module>)
    #11 0x2b72f6407cb4 (<unknown module>)
    #12 0x2b72f6468280 (<unknown module>)
    #13 0x2b72f6407cb4 (<unknown module>)
    #14 0x2b72f64421a2 (<unknown module>)
    #15 0x2b72f642592e (<unknown module>)
    #16 0xbf50d1 in v8::internal::(anonymous namespace)::Invoke(v8::internal::Isolate*, bool, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*, v8::internal::Handle<v8::internal::Object>) (/root/v8-asan-beta/out/Release/d8+0xbf50d1)
    #17 0xbf4a0b in v8::internal::Execution::Call(v8::internal::Isolate*, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*) (/root/v8-asan-beta/out/Release/d8+0xbf4a0b)
    #18 0xf94af3 in v8::internal::JSReceiver::OrdinaryToPrimitive(v8::internal::Handle<v8::internal::JSReceiver>, v8::internal::OrdinaryToPrimitiveHint) (/root/v8-asan-beta/out/Release/d8+0xf94af3)
    #19 0xf15ff7 in v8::internal::JSReceiver::ToPrimitive(v8::internal::Handle<v8::internal::JSReceiver>, v8::internal::ToPrimitiveHint) (/root/v8-asan-beta/out/Release/d8+0xf15ff7)
    #20 0xf1dc51 in v8::internal::Object::Add(v8::internal::Isolate*, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>) (/root/v8-asan-beta/out/Release/d8+0xf1dc51)
    #21 0xe062b5 in v8::internal::BinaryOpIC::Transition(v8::internal::Handle<v8::internal::AllocationSite>, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>) (/root/v8-asan-beta/out/Release/d8+0xe062b5)
    #22 0xe07902 in v8::internal::Runtime_BinaryOpIC_Miss(int, v8::internal::Object**, v8::internal::Isolate*) (/root/v8-asan-beta/out/Release/d8+0xe07902)
    #23 0x2b72f6406146 (<unknown module>)
    #24 0x2b72f642a0d1 (<unknown module>)
    #25 0x2b72f646803e (<unknown module>)
    #26 0x2b72f64421a2 (<unknown module>)
    #27 0x2b72f642592e (<unknown module>)
    #28 0xbf50d1 in v8::internal::(anonymous namespace)::Invoke(v8::internal::Isolate*, bool, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*, v8::internal::Handle<v8::internal::Object>) (/root/v8-asan-beta/out/Release/d8+0xbf50d1)
    #29 0xbf4a0b in v8::internal::Execution::Call(v8::internal::Isolate*, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*) (/root/v8-asan-beta/out/Release/d8+0xbf4a0b)

Indirect leak of 864 byte(s) in 1 object(s) allocated from:
    #0 0x4a2eeb in __interceptor_malloc /home/development/llvm/3.5.2/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40:3
    #1 0x1e1bc3a in icu_56::RuleBasedCollator::setAttribute(UColAttribute, UColAttributeValue, UErrorCode&) (/root/v8-asan-beta/out/Release/d8+0x1e1bc3a)

SUMMARY: AddressSanitizer: 1136 byte(s) leaked in 2 allocation(s).

VERSION

Chrome Version: v8 builds from tip, 3807927f46dda120dd7c5192e1313a1188cae83a, and c668dfb3c38e0efcab923d8381e60f67a5cbb4c0
Operating System: Ubuntu 14.0.4.5 x64

REPRODUCTION CASE

Running my build of d8 either with asan or with valgrind, like: ./d8 asan-crash.js or valgrind ./d8 asan-crash.js. I built the asan builds with clang 3.5.2 and the uninstrumented builds with gcc 4.8.4. Both builds cause error(s) on my box.

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION

Type of crash: asan memory leak; valgrind error

Please let me know if this submission is eligible for a bug bounty. Thanks!
Sep 8 2016:
The test depends on garbage collection being called at the end of the program. Does the leak still reproduce with d8 --invoke-weak-callbacks asan-crash.js?
Sep 8 2016:
No, the leak doesn't reproduce when --invoke-weak-callbacks is used. Interesting! Is this an issue at all then? Do you mind explaining a bit what --invoke-weak-callbacks does?
Sep 8 2016:
Thanks, then it is not a real issue. --invoke-weak-callbacks forces garbage collection at the end of the d8 program. The malloced Collator object is bound to a JSObject and thus depends on garbage collection in the JS heap to be freed.
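The explanation above is the crux of why this report is a false positive: the ICU Collator is allocated with malloc, its lifetime is tied to a JS wrapper, and it is only released from a weak callback when the JS heap collects that wrapper. If the process exits before a final collection runs, LeakSanitizer sees an outstanding malloc block. The following C++ model was written for this page to illustrate that mechanism; it is not V8, ICU or d8 code. ToyHeap, NativeCollator, RunScenario and the global live-object counter are assumptions of the example (the counter stands in for LSan's view of unfreed blocks at exit); only the Collator/JSObject binding and the effect of --invoke-weak-callbacks come from the comment above.

```cpp
// Added example: a minimal model of a malloc'd native object (like the ICU
// Collator) bound to a JS wrapper and freed from a GC weak callback.
#include <cstdio>
#include <functional>
#include <memory>
#include <vector>

// Stand-in for LeakSanitizer's count of outstanding native allocations at
// process exit. (Assumption of the example, not an LSan API.)
static int g_live_native_objects = 0;

// Stand-in for icu::Collator: a plain heap object owned through a raw pointer.
struct NativeCollator {
    NativeCollator() { ++g_live_native_objects; }
    ~NativeCollator() { --g_live_native_objects; }
};

// A toy JS heap: owns wrapper objects and the weak callbacks that run when
// those wrappers die. V8 runs such callbacks from its GC; d8 only forces a
// final collection at shutdown when started with --invoke-weak-callbacks.
class ToyHeap {
public:
    struct JSObject {
        NativeCollator* native = nullptr;  // internal field holding the raw pointer
    };

    JSObject* Allocate() {
        objects_.push_back(std::make_unique<JSObject>());
        return objects_.back().get();
    }

    // Bind the native object to the wrapper and register a weak callback that
    // deletes it once the wrapper is unreachable. The raw JSObject pointer
    // stays valid because objects_ holds unique_ptrs (no reallocation moves).
    void SetWeak(JSObject* obj, NativeCollator* native) {
        obj->native = native;
        weak_callbacks_.push_back([obj] {
            delete obj->native;
            obj->native = nullptr;
        });
    }

    // Simulate the final GC: every wrapper is unreachable, so run all weak
    // callbacks and then drop the wrappers themselves.
    void CollectAll() {
        for (auto& cb : weak_callbacks_) cb();
        weak_callbacks_.clear();
        objects_.clear();
    }

private:
    std::vector<std::unique_ptr<JSObject>> objects_;
    std::vector<std::function<void()>> weak_callbacks_;
};

// Model the reporter's run: create `collators` Collator wrappers, then shut
// down either with or without the forced final collection. Returns how many
// native objects a leak checker would still see alive at that point.
int RunScenario(int collators, bool invoke_weak_callbacks) {
    ToyHeap heap;
    for (int i = 0; i < collators; ++i) {
        // In spirit what Runtime_CreateCollator does: allocate the ICU object
        // and tie its lifetime to a JS wrapper via a weak callback.
        heap.SetWeak(heap.Allocate(), new NativeCollator());
    }
    if (invoke_weak_callbacks) heap.CollectAll();

    int still_live = g_live_native_objects;  // what LSan would report at exit

    // Release everything so repeated scenarios start from a clean counter
    // (in the real process the OS reclaims memory after LSan has reported).
    heap.CollectAll();
    return still_live;
}

int main() {
    std::printf("without --invoke-weak-callbacks: %d native object(s) live at exit\n",
                RunScenario(1, false));
    std::printf("with    --invoke-weak-callbacks: %d native object(s) live at exit\n",
                RunScenario(1, true));
    return 0;
}
```

The takeaway for triage: a shutdown-time leak report whose allocation site is a native object owned by a GC-managed wrapper is not evidence of a real leak until the finalizers have been given a chance to run; in d8 that means re-running with --invoke-weak-callbacks, as the developer asked, before treating the LSan output as a bug.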
Nov 8 2016
Comment 1 by wfh@chromium.org, Sep 7 2016
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Pri-2 Type-Bug
Status: Untriaged (was: Unconfirmed)